Warning: subjective arguments abound in this article.
In a separate thread and elsewhere I've stated my aversion to the "mark of the web" feature implemented by Microsoft.
I'm not particularly dogmatic about it, but people keep saying "what's wrong with it?" so here's my case, which is marginally on-topic for n.p.m.security. You've been warned.
My recommendation is that all Mozilla people stay a million miles away from implementing this idea.
The web is far from ideal: pornography, fraud and depression caused by isolation are amongst its problems. The web, however, is also, roughly speaking, a good idea. It's what we've got, and many people are disposed to support it.
Microsoft does not support the web. Microsoft is a business that makes money out of market places, a business that makes money out of product sales. For example, in my country figures I heard recently (I cannot vouch for their accuracy) put Microsoft sales at 1 billion AUD annually, and after-market services for MS products at 7 billion AUD annually.
That's 7 billion AUD of Windows PC people scurrying around putting in drivers, managing Exchange and SQL Server installations and coding in Visual Basic. That's a lot of service that MS doesn't provide. MS is a product company, not a service company, even if its new products are blurred to the point of being service-like media offerings such as MSN and so on.
The core bits of the web: browsers, servers, languages, protocols, basic development tools, and increasingly even infrastructure (22% of servers ship with Linux now, I hear) are all free. This is not a product market. It's a service market, where cost of labour is the determining factor. Such a market isn't very appetising to a company with demanding shareholders. The Visual Basic sector, where you can sell products, training, certification, upgrades and so on is much more appealing.
If the web grows more influential, this non-product Web market sector will grow, as it has so far. That increases the risk of the Web supplanting Windows as the default user interface for computer users. That's been a risk since the web was born, and it's still a risk. Web-based apps are everywhere.
Microsoft knows all this and wants to sell products. The way to sell products to the web sector is to have an alternative that's better than the web. By creating a market for products that are better than the web, people using free web products go back to buying off Microsoft. They have to compete for work; and that means labour competition or better value-added services for clients. If MS products are better than the web, then that's how to get the job done.
There's no room here to list the probably hundreds of arguments that MS has marshalled over the last 5 or more years in preparation for this big pitch to everyone. It should be obvious though, that there's years of work and planning gone into it.
Relevant here, the "mark of the web" is just one way that Microsoft can clearly differentiate itself. If the web is somehow disreputable, but Longhorn/Mono/MSN/etc is not, then the Microsoft alternative is clearly better. If the web falls into disrepute for security problems or other negative attributes, and MSN does not (because you have to get a web broadcast license from Microsoft to put your web site up on MSN, or because everything that goes through Longhorn is "inside the Microsoft circle of trust", whatever that means) then MSN or some equivalent will rule and the web will wilt. It's common sense.
So the free software community, and those that run libertarian web sites are in a corner. The web has to be defended "as is", against the conservative arguments of Microsoft about its flaws, and against aggressive arguments about "better" solutions. The web "as is" has to be upheld as a quality medium, on which no stain can be set.
Now suppose that Microsoft "marks" every document that comes from the web as suspect, and every document from a Longhorn/MSN as safe. Effectively, the web gains a "dirty bit". Marketing executives tell consumers: Microsoft protects you from the dirty web by clearly labelling everything that comes from there. They say this as part of the process of differentiating their new products from the Web. Product developers make it so that access to Longhorn interfaces is only N clicks away, whereas access to web interfaces is N+1 or N+2 clicks away, due to popups and other checks designed to "combat the dirty web". Any user with half a brain can see which is easier and which is therefore worth having.
Microsoft then turns around and says: "the whole web is dirty". It turns to the Mozilla Foundation and says: "hey, you guys (gals) agree with us - you use the dirty bit too. We all think the web is dirty. That's why we (Microsoft) invented this alternative that users can buy. Everyone agrees it's a good idea - ask the Mozilla Foundation. They've got the same problems marking dirty old web pages that we do. We're all mucking out the web stable, but at least we (Microsoft) have this alternative that you can buy that doesn't have that problem. Everyone else is stuck in the stone ages."
These speculative arguments that Microsoft could put aren't fair or even entirely rational, but that doesn't matter. They're persuasive rhetoric.
Of all the Microsoft arguments that might be brought to bear, at least this one about "mark of the web" can be easily parried with this argument:
There is nothing fundamentally insecure about a web page. There are some security concerns, yes, but that's true for all file formats. Web pages are as safe and as valuable as any other content, any other document or any other media. There is no need to add special warning information to saved web pages, because there is nothing specially wrong with them. They're as good as any other document. They require no special enhancements once the author has finished with them. A Web page is as reliable a message carrier as any document. Just read it with a proper tool.
I argue that Web supporters would be in a better position if they could point to browser software such as Firefox and say to the public: "What on Earth is Microsoft babbling about? Firefox processes web pages in a secure way as it always has. There's nothing wrong with web pages. There's no need to modify them or mark them or post-process them. Web pages are fine the way they are. Microsoft has lost its mind."
As I said, it's not a big issue in my life, but while the technical debate goes to and fro about how to protect users, which is clearly important, it's also clear that a negative attitude towards web pages just plays into competitor's hands. The security features that so much work has gone into are valuable, but shouldn't go as far as casting doubt on web pages as reliable media for messages.
- N.
_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security
